OSPF Overview Summary
| Function/Feature | Description |
|---|---|
| Protocol Type | Link State |
| RFC / Proprietary | RFC 2328 |
| Administrative Distance (AD) | 110 |
| Algorithm | Dijkstra SPF (Shortest Path First) |
| Transport protocol | IP Protocol 89 |
| Metric | Cost based on bandwidth |
| Best path selection | Lowest end-to-end metric |
| Hello interval | 10 seconds or 30 seconds by default; refer to Network Types |
| Update destination | 224.0.0.6 from DROthers to the DR/BDR; 224.0.0.5 from the DR/BDR to all OSPF routers |
| Update interval | Floods LSDB every 30 mins or on triggered changes |
| Full or partial updates | Partial triggered updates and full updates every 30 mins |
| Triggered updates | Yes |
| Authentication | Clear-text or MD5; SHA with key chains |
| Route-tags | On redistribution into or out of OSPF |
- OSPF Process ID is locally significant
- Not same as EIGRP or BGP AS number
- Exception is MPLS L3VPN
- OSPF can be enabled at Process level or Interface level
- Interface level
- Command:
- (config-if)#ip ospf <process id> area <area id>
- Process level
- Command:
- (config-router)#network <address> <wildcard> area <area id>
- Wildcard mask doesn't relate to the subnet mask
- Useful for enabling OSPF on multiple interfaces
- Most specific match determines the area
Router-ID
- Node ID in OSPF topology
- Can be configured manually
- Command:
- (config-router)#router-id <router-id>
- Automatic selection if not set manually
- Highest IP address on any non-shutdown loopback interface, not yet allocated as RID by another OSPF process
- Highest IP address on any non-shutdown non-loopback interface, not yet allocated as RID by another OSPF process.
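As an added example (not part of the original notes), the following Python models the two decisions described above: which area each interface lands in under the most-specific `network` statement match, and how the router-id is chosen when none is configured. The interface table and network statements are constructed for the example; the wildcard matching ignores the interface subnet mask entirely, as the notes state.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample interfaces: name -> (address, prefix length, is_loopback, is_up)
INTERFACES: Dict[str, Tuple[str, int, bool, bool]] = {
    "Loopback0":        ("10.0.0.1", 32, True, True),
    "Loopback1":        ("10.0.0.9", 32, True, False),   # shut down: ignored for RID
    "GigabitEthernet0": ("192.168.1.1", 24, False, True),
    "GigabitEthernet1": ("192.168.2.1", 24, False, True),
    "GigabitEthernet2": ("172.16.5.1", 30, False, True),
}

# Constructed "network <address> <wildcard> area <area>" statements.
# Order does not matter: the most specific match (fewest wildcard bits) wins.
NETWORK_STATEMENTS: List[Tuple[str, str, int]] = [
    ("192.168.0.0", "0.0.255.255", 0),
    ("192.168.2.0", "0.0.0.255", 2),
    ("0.0.0.0", "255.255.255.255", 10),   # catch-all
]


def wildcard_matches(address: str, network: str, wildcard: str) -> bool:
    """True if address matches network; bits set in the wildcard are don't-care."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_specificity(wildcard: str) -> int:
    """Number of 'care' bits; a larger value means a more specific statement."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def area_for_interface(address: str, statements) -> Optional[int]:
    best, best_spec = None, -1
    for network, wildcard, area in statements:
        if wildcard_matches(address, network, wildcard):
            spec = wildcard_specificity(wildcard)
            if spec > best_spec:
                best, best_spec = area, spec
    return best


def assign_areas(interfaces, statements) -> Dict[str, Optional[int]]:
    return {name: area_for_interface(addr, statements)
            for name, (addr, _plen, _lo, _up) in interfaces.items()}


def select_router_id(interfaces, manual: Optional[str] = None,
                     taken: Tuple[str, ...] = ()) -> str:
    """Manual RID wins; otherwise the highest address on an up loopback,
    otherwise the highest address on an up non-loopback interface.
    Addresses already used as RID by another OSPF process are skipped."""
    if manual:
        return manual
    for want_loopback in (True, False):
        cands = [ipaddress.IPv4Address(addr)
                 for addr, _plen, lo, up in interfaces.values()
                 if lo == want_loopback and up and addr not in taken]
        if cands:
            return str(max(cands))
    raise RuntimeError("no usable IP address for router-id")


if __name__ == "__main__":
    print(assign_areas(INTERFACES, NETWORK_STATEMENTS))
    print(select_router_id(INTERFACES))
```

Note that `192.168.2.1` is matched by both the `/16`-style and the `/24`-style statements and ends up in area 2, while the catch-all statement sweeps every remaining interface, loopbacks included, into area 10.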
OSPF Databases
Neighbor table
- Contains a list of adjacent routers
- Adjacency status
- Neighbor Priority
- Neighbor Address
- Neighbor State
- Neighbor dead time
- Neighbor interface
- Also called Adjacency database
Topology table
- Referred to as LSDB (Link State Database)
- Contains all routers and their attached links in the area
- All routers in an area have an identical LSDB
- To pass routes from the topology table to the routing table the routing bit (R) needs to be set on the OSPF database prefix
- If the routing bit is not set the router will show the line:
- "Adv Router is not reachable in topology Base with MTID 0".
- This means the router is not reachable by the SPF tree.
- This could be because of an interface type mis-match. Even though they show the adjacency as up, the routing table will not be populated as they can't resolve the SPF tree.
Routing table
- List of best paths
- Forwarding database
| Preference Order | Routing Code | Description | LSAs |
|---|---|---|---|
| 1 | O | Intra-area | Type 1 - Router, Type 2 - Network |
| 2 | O IA | Inter-area | Type 3 - Summary, Type 4 - ASBR Summary |
| 3 | O E1 | Type 1 External | Type 5 - External |
| 4 | O N1 | NSSA Type 1 External | Type 7 - NSSA External |
| 5 | O E2 | Type 2 External | Type 5 - External |
| 6 | O N2 | NSSA Type 2 External | Type 7 - NSSA External |
- Type 1 and NSSA Type 1 External routes
- Metric changes throughout OSPF domain
- Type 2 and NSSA Type 2 External routes
- Default External LSA
- Metric stays same throughout OSPF domain
OSPF Metric
- SPF calculation is done on the end-to-end cost
- Interface Cost = Reference Bandwidth / Interface Bandwidth
- Default Cisco reference bandwidth is 100 Mbps (100)
- Recommended to configure same on all nodes in OSPF domain
| Option | Command | Where applied |
|---|---|---|
| Interface bandwidth | (config-if)#bandwidth <#> | Interface |
| Interface Cost | (config-if)#ip ospf cost <#> | Interface |
| Process Auto-cost | (config-router)#auto-cost reference-bandwidth <1-4294967 (Mbps)> | OSPF Process |
| Process Neighbor Cost | (config-router)#neighbor <neighbor ip> cost <#> | OSPF Process |
- Process neighbor-cost is only available on Point-to-Multipoint and Point-to-Multipoint Non-broadcast network types
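An added Python example (not from the original notes) that turns the metric rules above into code: the per-interface cost from the reference bandwidth, and a Dijkstra SPF run over a constructed four-router topology so the end-to-end cost can be compared under the default 100 Mbps reference and a 10 Gbps one. Truncation to an integer and the 1..65535 clamp are assumptions about the common IOS behaviour, not something the notes state.

```python
import heapq
import math
from typing import Dict, List, Optional, Tuple


def ospf_cost(bandwidth_mbps: float, reference_mbps: float = 100.0) -> int:
    """Interface cost = reference bandwidth / interface bandwidth.
    Assumed IOS behaviour: truncated to an integer and clamped to 1..65535."""
    cost = int(reference_mbps / bandwidth_mbps)
    return max(1, min(cost, 65535))


# Constructed topology: (router A, router B, link bandwidth in Mbps)
LINKS: List[Tuple[str, str, float]] = [
    ("R1", "R2", 10000),   # 10G path: R1-R2-R4
    ("R2", "R4", 10000),
    ("R1", "R3", 1000),    # 1G path: R1-R3-R4
    ("R3", "R4", 1000),
]


def build_graph(links, reference_mbps: float) -> Dict[str, List[Tuple[str, int]]]:
    """Adjacency list with each link's cost computed from the reference bandwidth.
    A reference that is the same on every node is what makes these costs comparable."""
    graph: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, reference_mbps)
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def spf(graph, root: str) -> Tuple[Dict[str, int], Dict[str, Optional[str]]]:
    """Dijkstra SPF from root: end-to-end cost and first-hop router for every node."""
    dist: Dict[str, int] = {root: 0}
    first_hop: Dict[str, Optional[str]] = {root: None}
    heap: List[Tuple[int, str, Optional[str]]] = [(0, root, None)]
    while heap:
        d, node, via = heapq.heappop(heap)
        if d > dist.get(node, math.inf):
            continue                      # stale heap entry
        for nbr, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nbr, math.inf):
                dist[nbr] = nd
                first_hop[nbr] = nbr if node == root else via
                heapq.heappush(heap, (nd, nbr, first_hop[nbr]))
    return dist, first_hop


def end_to_end_cost(links, reference_mbps: float, src: str, dst: str) -> int:
    dist, _ = spf(build_graph(links, reference_mbps), src)
    return dist[dst]


if __name__ == "__main__":
    for ref in (100, 10000):
        dist, hops = spf(build_graph(LINKS, ref), "R1")
        print(f"reference {ref} Mbps: R1->R4 cost {dist['R4']} via {hops['R4']}")
```

With the default reference every link of 100 Mbps or faster costs 1, so the 10G and 1G paths tie at cost 2; with a 10 Gbps reference the 1G path costs 20 and the 10G path is preferred.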
OSPF Neighbors
1. HELLO
- Multicast to 224.0.0.5
- Discovers neighbors and builds adjacencies
- Monitors adjacencies with heartbeats
- Packet contains:
- Local Router-ID
- Local Area ID
- Local Interface subnet mask
- Local interface priority
- Hello interval
- Dead interval
- Authentication Type & Password
- DR/BDR Address
- Options (e.g. Stub Flag)
- Router-ID's of other neighbors on the link
2. DBD (Database Descriptor)
- Used to exchange LSA headers during initial topology exchange
- Includes LSA version numbers
- Checks for database synchronization between routers
3. LSR (Link-State Request)
- Requests specific detailed LSAs
4. LSU (Link-State Update)
- Sends specific detailed link-state records
- Sent in response to LSR message
- Contains one or more LSAs (Link State Advertisement)
5. LSAck (Link-State Acknowledgement)
- Acknowledges receipt of LSUs
- For OSPF routers to form adjacencies, they must agree on the following:
- Same primary subnet including mask
- Area ID
- Authentication
- HELLO and DEAD intervals
- Stub/NSSA flag
- Must not have the same RID
- MTU must match for DBD packets to exchange correctly
- Parameter not part of the Hello process
- Can be disabled per-interface
- (config-if)#ip ospf mtu-ignore
- OSPF can block adjacencies from forming on an interface by ignoring received Hello packets and not sending any
- Command:
- (config-router)#passive-interface <IF>
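The adjacency requirements above, as an added Python example (not code from the original notes): a Hello comparison that reports every parameter mismatch at once, which is what you want when reading a "neighbor stuck" ticket, plus the DBD MTU check that the Hello exchange does not cover. The point-to-point exemption from the subnet/mask check is taken from RFC 2328 section 10.5 and is not stated in the notes; the MTU rule (reject a DBD whose Interface MTU exceeds the receiving interface's) follows RFC 2328 section 10.6. The Hello values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Hello:
    router_id: str
    area_id: str
    src_addr: str          # source address the Hello arrived from
    netmask: str           # Network Mask field
    hello_interval: int
    dead_interval: int
    auth_type: int         # 0 null, 1 simple password, 2 cryptographic
    e_bit: bool            # External-capable; cleared in stub and NSSA areas
    n_bit: bool            # NSSA flag
    network_type: str = "broadcast"


def hello_mismatches(local: Hello, remote: Hello) -> List[str]:
    """Every reason the local router would refuse an adjacency with remote."""
    problems: List[str] = []
    if local.router_id == remote.router_id:
        problems.append("duplicate router-id")
    if local.area_id != remote.area_id:
        problems.append("area-id mismatch")
    # Assumption (RFC 2328 10.5): the Network Mask is ignored on point-to-point links
    if local.network_type != "point-to-point":
        ln = ipaddress.ip_network(f"{local.src_addr}/{local.netmask}", strict=False)
        rn = ipaddress.ip_network(f"{remote.src_addr}/{remote.netmask}", strict=False)
        if ln != rn:
            problems.append("primary subnet/mask mismatch")
    if local.hello_interval != remote.hello_interval:
        problems.append("hello-interval mismatch")
    if local.dead_interval != remote.dead_interval:
        problems.append("dead-interval mismatch")
    if local.auth_type != remote.auth_type:
        problems.append("authentication type mismatch")
    if (local.e_bit, local.n_bit) != (remote.e_bit, remote.n_bit):
        problems.append("stub/NSSA flag mismatch")
    return problems


def dbd_accepted(local_mtu: int, remote_mtu: int, mtu_ignore: bool = False) -> bool:
    """DBD check (not part of Hello): a neighbour advertising a larger MTU than
    this interface handles is rejected unless 'ip ospf mtu-ignore' is set."""
    return mtu_ignore or remote_mtu <= local_mtu


if __name__ == "__main__":
    me = Hello("1.1.1.1", "0.0.0.0", "10.0.12.1", "255.255.255.0", 10, 40, 2, True, False)
    peer = Hello("2.2.2.2", "0.0.0.0", "10.0.12.2", "255.255.255.252", 10, 30, 0, False, False)
    print(hello_mismatches(me, peer))
```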
- DOWN
- Initial state
- No Hello's received from neighbor
- ATTEMPT
- Unicast Hello sent, but none received from neighbor
- Only in NBMA networks
- Nonbroadcast
- Point-to-multipoint nonbroadcast
- INIT
- Hello received from neighbor
- Hello doesn't contain the receiving router's RID
- Not yet bidirectional
- TWO-WAY
- Received Hello from neighbor
- Own router ID in HELLO packet received
- Bidirectional and stable
- EXSTART
- Master/Slave roles determined
- Master has higher router id
- Master chooses sequence number for the DBD packets that are used for actual LSA exchange
- EXCHANGE
- DBD packets sent with local LSDB
- DBD sequence number is used for reliable acknowledgement/re-transmission
- LOADING
- Exchange of LSRs to request more information about a link
- Exchange of LSUs to provide updates to the LSR's
- FULL
- Neighbors fully adjacent
- Databases are synchronized
- Not all neighbors will reach this state
DR/BDR Election
- Election based on:
- Interface Priority
- Can be value of 0-255
- Default priority is 1
- 0 means router is ignored in election process
- Higher value is preferred
- Command:
- (config-if)#ip ospf priority <#>
- (config-router)#neighbor <ip address> priority <ospf priority> (NBMA networks only)
- Router-ID
- Used as a tie-breaker if priorities on a segment are the same
- Higher value is preferred
- Election performed locally based on information collected from other neighbors
- Algorithm ensures all routers arrive at the same conclusion
- Uses WAIT timer to stop pre-emption of current DR/BDR
- During WAIT interval
- Set to Dead interval on interface
- Collects RIDs and priorities of all routers on segment
- BDR is elected first, then promotes itself to DR
- When a DR fails, the BDR is promoted to the DR
- A new election is held for the BDR
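The election rules above as an added Python example (not from the original notes): priority first, router-id as the tie-breaker, priority 0 excluded, no pre-emption of a sitting DR/BDR, the BDR elected first and promoted to DR, and a fresh BDR election when the DR fails. This is a simplified model of RFC 2328 section 9.4 that takes the router set as a dictionary rather than parsing Hellos; the router-ids and priorities are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple


def rid_value(rid: str) -> int:
    """Router-IDs compare numerically, not as strings."""
    return int(ipaddress.IPv4Address(rid))


def elect_dr_bdr(priorities: Dict[str, int],
                 current_dr: Optional[str] = None,
                 current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """priorities: router-id -> interface priority for every router seen on the
    segment during the WAIT interval. current_dr/current_bdr are the roles the
    segment already agrees on (None on a fresh segment)."""
    eligible = {rid: p for rid, p in priorities.items() if p > 0}   # priority 0 never elected

    def best(candidates: Iterable[str]) -> Optional[str]:
        # higher priority preferred, then higher router-id
        return max(candidates, key=lambda r: (eligible[r], rid_value(r)), default=None)

    # No pre-emption: a sitting DR/BDR that is still present keeps its role
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if (current_bdr in eligible and current_bdr != dr) else None

    if dr is None:
        # BDR is elected first (or the existing BDR is used) and promoted to DR
        if bdr is None:
            bdr = best(eligible)
        dr, bdr = bdr, None
    if bdr is None:
        # New BDR election among the remaining eligible routers
        bdr = best(r for r in eligible if r != dr)
    return dr, bdr


if __name__ == "__main__":
    segment = {"1.1.1.1": 1, "2.2.2.2": 1, "3.3.3.3": 1, "4.4.4.4": 0}
    dr, bdr = elect_dr_bdr(segment)
    print("fresh segment:", dr, bdr)
    segment["9.9.9.9"] = 255          # high-priority router joins later
    print("after join:", elect_dr_bdr(segment, dr, bdr))
    del segment["3.3.3.3"]            # DR fails
    print("after DR failure:", elect_dr_bdr(segment, dr, bdr))
```

The second call shows why a high-priority router added to a live segment does not become DR until the current DR goes away; the third shows the BDR being promoted and the newcomer winning only the BDR election.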
Types of Neighbors on Multi-Access Link
- Designated Router (DR)
- Forms adjacency with all routers on link
- Listens for LSUs (224.0.0.6)
- Re-floods LSUs back to the segment (224.0.0.5)
- Does not modify next-hop value
- Backup Designated Router (BDR)
- Used for redundancy of DR
- Doesn't re-flood LSUs
- DROthers
- All other routers on the link
- Form FULL adjacency with DR & BDR only
- Stops at 2-Way adjacency with each other
- Multicasts LSU packet to neighbors about change
- Acknowledges receipt of LSU with LSAck
- Floods LSU to all neighbors
- Router updates LSDB
- Recomputes SPF algorithm - separate for each area
- Updates routing tables
OSPF Graceful Restart & NSF
- Allows you to restart OSPF process while neighbors still forward packets
- Cisco used Non-Stop Forwarding (NSF) as its own Graceful Restart
- States:
- Router in graceful restart mode
- Neighbors are in helper mode when device is restarting
- Only certain devices support NSF/GR
- Catalyst 6500
- ISR 7200
- ASR 10000,12000
- All devices support helper mode
- Command on NSF/GR router:
- Command on neighbor:
- (config-router)#nsf [cisco | ietf] helper
Network Types Overview Table
| Interface Type | Cisco / RFC | DR / BDR | Hello | Dead | Manual Neighbor | Multicast / Unicast |
|---|---|---|---|---|---|---|
| Broadcast | Cisco | Yes | 10 | 40 | No | Multicast |
| Point-to-Point | Cisco | No | 10 | 40 | No | Multicast |
| Non-Broadcast | RFC | Yes | 30 | 120 | Yes | Unicast |
| Point-to-Multipoint | RFC | No | 30 | 120 | No | Multicast |
| Point-to-Multipoint Non-Broadcast | Cisco | No | 30 | 120 | Yes | Unicast |
| Loopback | Cisco | No | - | - | - | - |
| Demand-Circuit | RFC | No | - | - | - | - |
- OSPF network types do not need to match to form an adjacency
- They do need to be compatible
- Usage of Type 2: Network LSA determines if network types are compatible
- Generated by DR
- Describes who is adjacent with DR
- Reduces number of adjacencies
- Network types that use LSA Type 2:
- Broadcast
- Non-Broadcast
- Network types that do not use LSA Type 2:
- Point-to-Point
- Point-to-Multipoint
- Point-to-Multipoint Non-Broadcast
Network Type: BROADCAST
- Default on Ethernet
- Multicast Hello and update packets
- 224.0.0.5 - Sent by DR and BDR
- All OSPF Routers multicast group
- 224.0.0.6 - Sent by DROthers
- All OSPF Designated Routers multicast group
- One subnet
- Command:
- (config-if)#ip ospf network broadcast
Network Type: NON-BROADCAST
- Default on Frame-Relay physical and multipoint subinterfaces
- Unicast Hello packets (manual neighbor)
- One subnet
- Command:
- (config-if)#ip ospf network nonbroadcast
Network Type: POINT-TO-POINT
- Default on HDLC, PPP, GRE and Frame Relay point-to-point subinterfaces
- Multicast Hello packets
- Different subnet on each sub-interface
- Only allows 2 devices on a link
- Command:
- (config-if)#ip ospf network point-to-point
Network Type: POINT-TO-MULTIPOINT
- Usually best design on NBMA networks
- Treats network as a collection of P2P links
- Multicast Hello packets
- One subnet
- Special next-hop processing
- Command:
- (config-if)#ip ospf network point-to-multipoint
Network Type: POINT-TO-MULTIPOINT NON-BROADCAST
- Allows for per-Virtual-Circuit OSPF cost over NBMA
- Unicast Hello packets (manual neighbor)
- One subnet
- Command:
- (config-if)#ip ospf network point-to-multipoint nonbroadcast
Network Type: LOOPBACK
- Advertises link as /32 stub host route
- Default on Loopback interfaces only
- Not a configurable option
- To disable this behaviour use the command:
- (config-if)#ip ospf network point-to-point
Special Network: DEMAND-CIRCUIT
- OSPF can be enabled to support demand circuits such as ISDN or dial-up
- Prevents LSA flooding
- For Point-to-Point and Point-to-Multipoint networks
- Hello packets are suppressed
- Allows the circuit to close when no application data is traversing the link
- Negotiated as part of the neighbor establishment
- Only one OSPF router needs to have it enabled on the segment
- If routers on segment don't support it, it will just ignore the option in the HELLO packet but will still form adjacency
- Shows the following in ospf interface output:
- Configured as a demand circuit
- Run as a demand circuit
- DoNotAge LSA allowed
- Command:
- (config-if)#ip ospf demand-circuit
OSPF Link State Advertisements
- Each LSA (Link State Advertisement) entry has its own timer age
- Default 30mins (displayed in seconds - 1800)
- Refreshed individually once age timer expires
- Each time sequence number increments by 1
- If not refreshed within 60mins, LSA is removed from LSDB (Link State Database)
- LSAs are flooded per area
- OSPF doesn't use split horizon
- Self-originated LSAs are dropped
- LSAs are flooded reliably, using acknowledgements
- Triggered updates are sent when changes occur
- Not all LSA changes require SPF to recalculate
- e.g. link up/down events vs sequence number change
- When LSAs are received they are checked against the database for changes such as:
- Sequence Number
- Used to track old vs new LSAs
- Age
- Used to keep information new and withdraw old information
- Periodic flooding occurs every 30 minutes
- LSA's that reach MaxAge (60 minutes) are withdrawn
- Checksum
- Used to avoid transmission and memory errors
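The ageing and comparison rules above, as an added Python example (not from the original notes): a small LSDB whose self-originated entries are refreshed with a sequence-number increment at LSRefreshTime, whose learned entries are flushed at MaxAge, and an "is this instance newer?" comparison in the order RFC 2328 section 13.1 gives (sequence number, checksum, MaxAge, then age difference greater than MaxAgeDiff). Received self-originated LSAs are dropped, as the notes state. The LSA values and the 900-second MaxAgeDiff constant are from the RFC; the sample database is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LS_REFRESH_TIME = 1800   # 30 min: self-originated LSAs are re-issued
MAX_AGE = 3600           # 60 min: an LSA never refreshed is withdrawn
MAX_AGE_DIFF = 900       # RFC 2328 architectural constant


@dataclass
class LSA:
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int          # starts at 0x80000001, +1 per new instance
    age: int          # seconds
    checksum: int


LSAKey = Tuple[int, str, str]


def key(lsa: LSA) -> LSAKey:
    return (lsa.ls_type, lsa.ls_id, lsa.adv_router)


def newer(a: LSA, b: LSA) -> Optional[LSA]:
    """Return the more recent instance, or None if they are the same instance."""
    if a.seq != b.seq:
        return a if a.seq > b.seq else b
    if a.checksum != b.checksum:
        return a if a.checksum > b.checksum else b
    a_max, b_max = a.age >= MAX_AGE, b.age >= MAX_AGE
    if a_max != b_max:
        return a if a_max else b           # MaxAge instance is considered newer (a flush)
    if abs(a.age - b.age) > MAX_AGE_DIFF:
        return a if a.age < b.age else b   # younger wins only if clearly younger
    return None


def age_lsdb(lsdb: Dict[LSAKey, LSA], local_rid: str, seconds: int) -> List[str]:
    """Advance every LSA's age; refresh our own, withdraw stale foreign ones."""
    events: List[str] = []
    for k in list(lsdb):
        lsa = lsdb[k]
        lsa.age += seconds
        if lsa.adv_router == local_rid:
            if lsa.age >= LS_REFRESH_TIME:
                lsa.seq += 1
                lsa.age = 0
                events.append(f"refresh {k} seq=0x{lsa.seq:08x}")
        elif lsa.age >= MAX_AGE:
            del lsdb[k]
            events.append(f"maxage-flush {k}")
    return events


def receive(lsdb: Dict[LSAKey, LSA], incoming: LSA, local_rid: str) -> str:
    """Flooding receive path: drop self-originated, install only newer instances."""
    if incoming.adv_router == local_rid:
        return "dropped self-originated"
    existing = lsdb.get(key(incoming))
    if existing is None or newer(existing, incoming) is incoming:
        lsdb[key(incoming)] = incoming
        return "installed"
    return "ignored"
```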
LSA Recursion
- Forwarding address field in LSA determines who the next recursive lookup should be performed towards
- Normally set to 0.0.0.0
- Next lookup should be performed towards the advertising router
Type 1 - Router LSAs
- Advertised by every router in the area
- Includes directly attached links in that area/link types:
- Point-to-point connection to another router
- Connection to transit network
- Connection to a stub network
- Virtual link
- Includes a list of neighbors in that area
- Doesn't cross ABR
- Identified by Router ID of originating router (Link-State ID (LSID))
- Includes a cost attribute for each link
- Value of 0 - 65535 (0xffff)
- Cisco implementation uses bandwidth-based cost
Type 2 - Network LSAs
- Advertised by DR
- Only created for transit links where a DR has been elected
- Describes who is adjacent with DR
- Includes what cost is to DR
- Includes subnet mask of transit link
- Doesn't cross ABR
- The following network types do not use LSA Type 2
- Point-to-Point
- Point-to-Multipoint
- Point-to-Multipoint Nonbroadcast
- Used to reduce redundant information in the database
- n*(n+1)/2 and flooding scalability issue
Type 3 - Network Summary LSAs
- Advertised by the ABR of originating area
- Reinjected by subsequent ABRs to flood throughout the OSPF domain
- Floods network information outside an area
- Contains network number and mask
- Includes ABRs cost to reach that network
- Represents subnets described in Type 1 and Type 2 LSAs
- Routers calculate the cost of a subnet in Type 3 LSA by adding the following:
- The cost listed in the Type 3 LSA
- The cost to the ABR originating the Type 3 LSA
- Rules for processing Type 3 LSAs:
- ABR only uses Type 3 LSAs received over the backbone area in its SPF calculation; Type 3 LSAs received over a non-backbone area are still stored in the ABR's LSDB and flooded within that non-backbone area as usual
- Only intra-area (local area) routes from non-backbone areas are advertised to backbone area
- Inter-area and intra area routes are advertised from backbone to non-backbone areas
- 2nd rule is direct consequence of first.
- If LSA is not installed in Global RIB, it will not be re-injected to other areas by other ABRs
- Distance Vector behaviour
- Default behaviour can be overridden
- Command:
- (config-router)#local-rib-criteria inter-area-summary
Type 4 - ASBR Summary LSAs (Autonomous System Boundary Router)
- Advertised by an ABR
- Describes ABRs reachability to ASBRs in other areas
- Used to advertise the cost to the ASBR
- Regenerated by subsequent ABRs to flood throughout the OSPF domain
- The Link State ID is the router ID of the described ASBR
- SPF not run to reach Inter-area ASBR
Type 5 - External AS LSAs
- Advertised by originating ASBR
- Advertise networks from other Autonomous Systems
- Flooded throughout to all non-stub areas
- The advertising Router ID (ASBR) is unchanged throughout the AS
- A Type 4 LSA is needed to find the ASBR from other areas
- By default, routes are not summarized
- LSA Contains:
- Metric
- Value to reach prefix
- Metric type:
- Type 1 = E1
- Type 2 = E2 (Default)
- Forward Address:
- Who should I route towards to reach the prefix
- If set to 0.0.0.0 use the Advertising Router who originated the LSA
- (Advertising Router is recursed with LSA Type 4)
- Route Tag
- OSPF External Type 1 vs. Type 2
- Type 1 (E1)
- Metric changes throughout domain
- Takes the cost the ASBR reports in plus the cost to the ASBR (in Type 4 LSA)
- Type 1 always preferred over Type 2
- Type 2 (E2)
- Metric stays the same throughout the domain
- Takes just the cost the ASBR reports
- If there is a tie, then take the cost to the ASBR (Forwarding Metric) as well
- If still tied then router with highest RID is preferred
- Default option for Cisco routers using redistribution
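An added Python example (not from the original notes) that implements the path selection described in the E1 vs. E2 bullets above and in the routing-table preference order earlier on this page (O, O IA, O E1, O N1, O E2, O N2): inter-area and E1/N1 routes add the cost to the originating ABR/ASBR, E2/N2 routes carry the external metric unchanged and use the forwarding metric and then the highest advertising router-id as tie-breakers. The candidate routes are constructed; equal-cost multipath is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Preference order from the routing-table section of these notes (lower is better)
PREFERENCE = {"O": 1, "O IA": 2, "O E1": 3, "O N1": 4, "O E2": 5, "O N2": 6}


@dataclass
class Candidate:
    prefix: str
    code: str
    metric: int           # O: SPF cost; O IA: cost in the Type 3 LSA; E/N: metric in the Type 5/7 LSA
    reach_cost: int = 0   # SPF cost to the ABR (O IA) or ASBR (E1/E2/N1/N2) that originated the LSA
    adv_router: str = "0.0.0.0"


def effective_metric(c: Candidate) -> int:
    """End-to-end metric as the router installs it."""
    if c.code in ("O IA", "O E1", "O N1"):
        return c.metric + c.reach_cost   # Type 3 cost + cost to ABR, or E1 metric + cost to ASBR
    return c.metric                      # O: already end-to-end; E2/N2: external metric unchanged


def sort_key(c: Candidate) -> Tuple[int, int, int, int]:
    pref = PREFERENCE[c.code]
    if c.code in ("O E2", "O N2"):
        # E2: external metric, then forwarding metric (cost to ASBR), then highest RID
        return (pref, c.metric, c.reach_cost, -int(ipaddress.IPv4Address(c.adv_router)))
    return (pref, effective_metric(c), 0, 0)


def best_route(candidates: List[Candidate]) -> Candidate:
    return min(candidates, key=sort_key)


if __name__ == "__main__":
    cands = [
        Candidate("10.9.0.0/16", "O E1", 20, 5, "1.1.1.1"),
        Candidate("10.9.0.0/16", "O E2", 10, 1, "2.2.2.2"),
    ]
    print(best_route(cands))   # E1 wins despite the larger total metric: type is compared first
```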
Type 7 - NSSA External LSAs (Not-So-Stubby-Area)
- Advertised by the originating ASBR in the NSSA area
- Used to advertise networks from other AS's injected into the NSSA
- Has the same format as a Type 5 External LSA
- Translated to LSA Type 5 on first NSSA subsequent ABR
- This ABR becomes an ASBR as it is now injecting Type 5 LSAs
- Type 7 LSA not allowed out of NSSA
- 'P' bit (Propagate) set in LSA by ASBR to allow 7->5 translator
- Where there are multiple ABRs redistributing Type 7 into Area 0, the router with the highest RID will be elected as the translator for Type 7 to Type 5.
- The translator may still not be the best path to reach the Link State ID
- Can set 'P' bit on individual prefixes using route-maps or summary-address
- Command:
- (config-route-map)#set level nssa-only
- (config-router)#summary-address <prefix> <subnet mask> nssa-only
- By default, routes are not summarised
- If LSA prefix is not in Global Routing Table (GRT) by default it will not translate even if 'P' bit is set
- Example would be a static route (preferred AD) has same route
- To bypass and translate even if not installed in GRT manually
- Command:
- (config-router)#local-rib-criteria nssa-translation
- RFC3101 - allows multiple NSSA ABRs to perform translation
- Required to be configured on all NSSA ABRs
- Sets 'NT' bit in LSAs
- Command:
- (config-router)#area <#> nssa translate type 7 always
Other Types of LSA
- Type 6 - Multicast LSA
- Not implemented by most vendors
- Type 8 - External Attributes LSA
- Not implemented by Cisco
- Used for BGP-to-OSPF redistribution to preserve BGP attributes of redistributed networks
- Types 9, 10, 11 - Opaque LSAs
- Used for extensibility
- Type 9
- Link local flooding scope
- Type 10
- Area local flooding scope
- Adapted for MPLS Traffic Engineering
- Type 11
- Autonomous System flooding scope
- Same scope as Type 5 LSAs
OSPF Areas
- Areas provide a hierarchy and scalability to OSPF
- Areas define a flooding domain
- All devices in the area agree on the topology
- Limits impact to router resources and speeds up convergence
- SPT calculation path for areas:
- Type 5 LSA recurses to Type 4 LSA
- Type 4 LSA recurses to Type 3 LSA
- Type 3 LSA recurses to Type 1 LSA
Backbone/Normal Area
- Area 0 (0.0.0.0)
- Used to summarize topology information between other areas
- Traffic from one area to another must pass through Area 0
- Must be contiguous
- Backbone/Normal Area LSAs allowed:
- Type 1: Router LSAs
- Type 2: Network LSAs
- Type 3: Network Summary LSAs
- Type 4: ASBR Summary LSAs
- Type 5: External LSAs
Stubby Area
- Doesn't accept information about routes external to the AS
- Stubby Areas can't:
- Contain ASBRs
- Be a transit area or the backbone area
- Have any virtual links
- Stubby Area LSAs allowed:
- Type 1: Router LSAs
- Type 2: Network LSAs
- Type 3: Network Summary LSAs
- Stubby Area LSAs blocked:
- Type 4: ASBR Summary LSAs
- Type 5: External LSAs
- ABR injects a default route in to the area (0.0.0.0/0) as Type 3 LSA
- Command:
- (config-router)#area <#> stub
- No 'E' (External) bit flag set in Hello messages
Not-So-Stubby-Area
- NSSA is an addendum to OSPF, defined in RFC 3101
- Defines LSA Type-7 which is only allowed in NSSA area
- NSSA allows ASBRs
- Doesn't originate a default route as standard
- ABR converts LSA Type-7 into LSA Type-5 which is then propagated through OSPF domain
- Type 7 LSA appears in routing table as ON2 or ON1
- NSSA LSAs allowed:
- Type 1: Router LSAs
- Type 2: Network LSAs
- Type 3: Network Summary LSAs
- Type 7: NSSA External LSAs
- NSSA LSAs blocked:
- Type 4: ASBR Summary LSAs
- Type 5: External LSAs
- To set area to NSSA
- Command:
- (config-router)#area <#> nssa
- 'N' bit (NSSA) flag set in Hello messages
- Set area to NSSA and inject a default route in to the area
- Set as Type 7 LSA
- Command:
- (config-router)#area <#> nssa default-information originate
- Disable Type 7 to Type 5 translation by removing the P-Bit (Propagate) from the prefix. Used for traffic engineering where multiple exits from NSSA
- Command:
- (config-router)#summary-address <network address> <mask> nssa-only
- Local router not allowed to insert Type 7 LSAs in NSSA area
- Command
- (config-router)#area <#> nssa no-redistribution
Totally Stubby Area
- Cisco proprietary
- Doesn't accept external AS routes or summary routes from other areas internal to the AS
- Totally Stubby Areas have same restrictions as Stub areas:
- Totally Stubby Area LSAs allowed:
- Type 1: Router LSAs
- Type 2: Network LSAs
- Totally Stubby Area LSAs blocked:
- Type 3: Network Summary LSAs
- Type 4: ASBR Summary LSAs
- Type 5: External LSAs
- ABR injects a default route in to the area (0.0.0.0/0) as a Type 3 LSA
- Only needs configuring on the ABR
- Command:
- (config-router)#area <#> stub no-summary
Totally Not-So-Stubby-Area
- Cisco proprietary
- Totally-NSSA LSAs allowed:
- Type 1: Router LSAs
- Type 2: Network LSAs
- Type 7: NSSA External LSAs
- Totally-NSSA LSAs blocked:
- Type 3: Network Summary LSAs
- Type 4: ASBR Summary LSAs
- Type 5: External LSAs
- ABR injects a default route to the NSSA (0.0.0.0/0) as Type 3 LSA
- Only needs configuring on the ABR
- Command:
- (config-router)#area <#> nssa no-summary
Virtual Links
- Used to solve a discontiguous OSPF Area 0
- Unicast multi-hop OSPF adjacency
- Not a tunnel, so no traffic is transported along the virtual link
- Area becomes a transit area
- Carried by a non-backbone area
- Can not be created over a Stub or NSSA area
- Can not run over more than one area
- If need to cross more than one area, more virtual links need to be setup
- Hello protocol doesn't operate on virtual link
- LSAs learned through virtual links have the DoNotAge (DNA) option set
- prevents excessive flooding
- Disables the flooding every 30 minutes
- Virtual links are configured on ABRs
- Created between the Router-ID's of each router
- Transit area must not have filtering applied
- LSA 3 filters, distribute lists, etc
- Sends Type 1 LSAs with the 'V' bit set
- Viewing the LSA will show the router is a Virtual Router Edge
- Inherit cost from SPT cost between the 2 endpoints
- Cost must be below 65536 (0xffff)
- Cost can be exceeded
- E.g. Reference bandwidth is 40Gb and link traverses an E1 line
- If cost is above 65535 Virtual Link will not establish
- An area with a Virtual Link through it can be used as an inter-area transit if a shorter path can be found and capability transit is enabled
- Transit capability is enabled by default
- Design case when feature is used is very specific and has to do with a shorter Inter-Area path being found via a non-backbone router as compared to the target router of a virtual link.
- This feature can be disabled manually
- For the entire area to not be a transit it needs to be configured on the Virtual Transit Link Nodes that built the VL adjacency
- Will get propagated in Type 1 LSA
- For the local device only it needs to be configured on any other router in the area
- Command:
- (config-router)#no capability transit
- This will prevent the area or local device being used as a transit if a shorter path is available forcing the path through the Virtual Link
- Can not summarise on a transit area unless it is Area 0
OSPF Authentication and Security
- Type 0: null (no authentication)
- Type 1: simple password authentication
- Type 2: cryptographic authentication (MD5/SHA)
Can be enabled 2 different ways: per area at the process level, or per interface
Area (Process) Authentication
- Type 1: Cleartext (simple) password
- Command:
- (config-router)# area <#> authentication
- Type 2: MD5 password hash
- Command:
- (config-router)# area <#> authentication message-digest
Interface Authentication
- Overrides the area (process) setting (if enabled)
- Type 1: Cleartext (simple) password
- Command:
- (config-if)# ip ospf authentication
- Type 2: MD5 password hash
- Command:
- (config-if)# ip ospf authentication message-digest
Authentication Keys
- Password is always configured on the link
- Type 1: Cleartext (simple) password
- Command:
- (config-if)# ip ospf authentication-key <key>
- Type 2: MD5 password hash
- Key ID's must match
- Command:
- (config-if)# ip ospf message-digest-key <key ID> md5 <key>
Virtual-Link Authentication
- To apply authentication on Virtual Link
- Virtual Link in an Area 0 interface
- Type can be configured globally or at the interface
- Globally
- Command:
- (config-router)#area 0 authentication message-digest
- Interface
- Type 1: Cleartext (simple) password
- Command
- (config-router)#area <#> virtual-link <router-id> authentication authentication-key
- Type 2: MD5 password hash
- Command:
- (config-router)#area <#> virtual-link <router-id> authentication message-digest message-digest-key <key ID> [md5] <key value>
- Always clear the VL after authentication as it is a demand circuit
Keychain Authentication
- Keychains can be used with OSPF
- Can be used to set:
- Key IDs (must match)
- Cryptographic algorithms
- Key lifetimes
- Can have multiple keys, with automatic key rotation based on time
- Keychain set on interface
- Commands:
- (config)#key chain <keychain name>
- (config-keychain)# key <key ID>
- (config-keychain-key)# key-string <key>
- (config-keychain-key)# cryptographic-algorithm <algorithm>
- (config-keychain-key)# send-lifetime
- (config-if)# ip ospf authentication key-chain <keychain name>
- #show key chain
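What the router does with the key ID and key once Type 2 authentication is on, as an added Python example (not from the original notes): the MD5 scheme of RFC 2328 Appendix D, where the 16-byte digest is computed over the OSPF packet followed by the zero-padded key and appended after the packet, the packet length field excluding the digest. The receive side looks the key up by Key ID (which is why IDs must match), compares digests in constant time, and rejects a cryptographic sequence number lower than the last one accepted. A small key-chain model picks the sending key by `send-lifetime`, so the same code covers the key-rotation section above. The packet fields, keys and lifetimes are constructed; the key-chain uses one lifetime per key for brevity, and the MD5 construction is shown because it is what the `message-digest-key` command configures, not because it is the strongest option available.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# OSPFv2 header: version, type, packet length, router-id, area-id, checksum, autype
OSPF_HEADER = struct.Struct("!BBH4s4sHH")
AUTH_CRYPTO = 2
HELLO = 1


def pad_key(key: bytes) -> bytes:
    """Appendix D: the key is zero-padded to 16 octets (MD5 keys are at most 16)."""
    return key.ljust(16, b"\x00")[:16]


def sign(body: bytes, rid: str, area: str, key_id: int, key: bytes, crypto_seq: int) -> bytes:
    """Build an OSPF packet with cryptographic authentication and append the digest."""
    length = OSPF_HEADER.size + 8 + len(body)          # excludes the trailing digest
    header = OSPF_HEADER.pack(2, HELLO, length,
                              ipaddress.IPv4Address(rid).packed,
                              ipaddress.IPv4Address(area).packed,
                              0, AUTH_CRYPTO)          # checksum is 0 with crypto auth
    auth = struct.pack("!HBBI", 0, key_id, 16, crypto_seq)   # reserved, key id, digest len, seq
    packet = header + auth + body
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def verify(data: bytes, keys: Dict[int, bytes], last_seq: int) -> Tuple[bool, str, int]:
    """Return (accepted, reason, sequence number to remember for this neighbour)."""
    if len(data) < OSPF_HEADER.size + 8 + 16:
        return False, "too short", last_seq
    _ver, _type, length, _rid, _area, _csum, autype = OSPF_HEADER.unpack_from(data)
    if autype != AUTH_CRYPTO:
        return False, "auth type mismatch", last_seq
    _res, key_id, auth_len, seq = struct.unpack_from("!HBBI", data, OSPF_HEADER.size)
    if auth_len != 16 or length + 16 != len(data):
        return False, "bad auth/length fields", last_seq
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}", last_seq
    expected = hashlib.md5(data[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, data[length:]):
        return False, "digest mismatch", last_seq
    if seq < last_seq:
        return False, "replayed sequence number", last_seq
    return True, "ok", seq


@dataclass
class ChainKey:
    key_id: int
    key: bytes
    send_start: int             # epoch seconds
    send_end: Optional[int]     # None = infinite


def active_send_key(chain: List[ChainKey], now: int) -> ChainKey:
    """Key whose send-lifetime covers 'now'; the most recently started one if several do."""
    live = [k for k in chain if k.send_start <= now and (k.send_end is None or now < k.send_end)]
    if not live:
        raise LookupError("no key in send-lifetime")
    return max(live, key=lambda k: k.send_start)


def receive_keys(chain: List[ChainKey]) -> Dict[int, bytes]:
    """All keys are accepted on receive so a neighbour mid-rotation still verifies."""
    return {k.key_id: k.key for k in chain}


if __name__ == "__main__":
    chain = [ChainKey(1, b"oldsecret", 0, 1000), ChainKey(2, b"newsecret", 1000, None)]
    k = active_send_key(chain, 500)
    pkt = sign(b"\x00" * 20, "1.1.1.1", "0.0.0.0", k.key_id, k.key, 42)
    print(verify(pkt, receive_keys(chain), 0))
```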
TTL Security
- OSPF can use TTL security to check packets
- If packet fails TTL security check, it is dropped
- Only packets with a TTL of 255 are accepted by default
- Can be configured manually
- Can be enabled globally at the process level or at the interface level
- Process Level
- Can be enabled on all interfaces by default and then disabled by exception
- Command:
- (config-router)#ttl-security all-interfaces [hops <TTL #>]
- (config-if)#ip ospf ttl-security disable
- Interface Level
- Command:
- (config-if)#ip ospf ttl-security [hops <TTL #>]
- To enable TTL security on Virtual or Sham links:
- Command:
- (config-router)#area <#> virtual-link <RID> ttl-security [hops <TTL #>]
- (config-router)#area <#> sham-link <sham source> <sham destination> ttl-security [hops <TTL #>]
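The TTL security check above as an added Python example (not from the original notes): a policy object mirroring the process-level `ttl-security all-interfaces [hops N]` command with per-interface overrides (an explicit hop count, or `disable` as the exception), resolved per interface and applied to a constructed set of received packets, producing the kind of accept/drop log a detection rule would consume. The acceptance rule, TTL at least 256 minus the configured hop count, gives "only TTL 255" for the default of one hop; that arithmetic is an assumption about how the `hops` value is interpreted, consistent with the default stated in the notes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TtlSecurityPolicy:
    # (config-router)#ttl-security all-interfaces [hops N]
    all_interfaces: bool = False
    process_hops: int = 1
    # Per-interface overrides:
    #   (config-if)#ip ospf ttl-security [hops N]  -> N
    #   (config-if)#ip ospf ttl-security disable   -> None
    interfaces: Dict[str, Optional[int]] = field(default_factory=dict)


def effective_hops(policy: TtlSecurityPolicy, iface: str) -> Optional[int]:
    """Interface configuration wins over the process default; None means the check is off."""
    if iface in policy.interfaces:
        return policy.interfaces[iface]
    return policy.process_hops if policy.all_interfaces else None


def ttl_ok(ttl: int, hops: int) -> bool:
    """Accept only a TTL a directly connected sender (within 'hops' hops) could produce."""
    return ttl >= 256 - hops


@dataclass
class Packet:
    iface: str
    src: str
    ttl: int


# Constructed sample of received OSPF packets (IP protocol 89)
PACKETS: List[Packet] = [
    Packet("Gi0", "10.0.12.2", 255),       # directly attached neighbour
    Packet("Gi0", "198.51.100.7", 61),     # arrived via a routed path: cannot be a neighbour
    Packet("Gi1", "10.0.13.2", 200),       # interface with ttl-security disabled
    Packet("Gi2", "10.0.14.2", 254),       # one hop away, interface allows 2 hops
    Packet("Gi2", "10.0.14.9", 253),       # too far for a 2-hop policy
]


def filter_packets(policy: TtlSecurityPolicy, packets: List[Packet]) -> List[str]:
    log: List[str] = []
    for p in packets:
        hops = effective_hops(policy, p.iface)
        if hops is None:
            verdict = "accept (ttl-security off)"
        elif ttl_ok(p.ttl, hops):
            verdict = "accept"
        else:
            verdict = f"drop (ttl {p.ttl} below minimum {256 - hops})"
        log.append(f"{p.iface} {p.src} ttl={p.ttl}: {verdict}")
    return log


def count_drops(log: List[str]) -> int:
    return sum(1 for line in log if ": drop" in line)


if __name__ == "__main__":
    hardened = TtlSecurityPolicy(all_interfaces=True, process_hops=1,
                                 interfaces={"Gi1": None, "Gi2": 2})
    for line in filter_packets(hardened, PACKETS):
        print(line)
```

Run the same packets through `TtlSecurityPolicy()` (the default, nothing enabled) and every packet is accepted, which is the weak setting the check exists to replace.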
OSPF NLRI Manipulation
- Summarization and Filtering can only be applied on ABRs and ASBRs
- Only by the originating ABR or ASBR of the LSA
- Can not summarise on a transit area unless it is Area 0
Summarization
- Internal Summarization
- Inter-area OSPF Topology summarization
- Hides topology of other areas
- Summarizes Type 1 LSAs into Type 3 LSAs
- Not Type 3 to Type 3
- Performed on ABRs of originating areas
- Command:
- (config-router)# area <#> range <network> <mask> [cost <cost>]
- (# has to be the source area)
- External Summarization
- NLRI summarization
- Summarization can only happen between area or between external domains
- Summarizes Type 5 into Type 5 LSAs
- Summarizes Type 7 into Type 7 LSAs
- Performed on ASBRs who is the originator
- ASBR/ABR performing Type 5 to Type 7 translation
- Command:
- (config-router)# summary-address <network> <mask>
Local Discard Route
- When summarizing, OSPF creates a local discard route to Null0
- Used to drop traffic if longest match is summary
- Always need a more specific route to prefix
- The summarizing router can not fall back to a default route for traffic matching the summary
- This feature can be disabled
- Command:
- (config-router)# no discard-route [internal | external]
- Internal = area range
- External = summary address
- Can be used for Traffic Engineering
- Prefer longer match over shorter match
- Can use for filtering routes
- Command:
- (config-router)#area <#> range <network> <mask> not-advertise
- (config-router)#summary-address <network> <mask> not-advertise
- Enforce area-local scope for NSSA routes
- Changes the P-Bit (Propagate Translator)
- Command:
- (config-router)#summary-address <network> <mask> nssa-only
Default Routing
- OSPF can inject a default route throughout the OSPF domain
- Default route needs to first exist before it can redistribute throughout OSPF domain
- May need to create a 0.0.0.0/0 route to Null0 first
- Can be by-passed using the always keyword
- Command:
- (config-router)#default-information originate [always]
Conditional Default Routing
- Same method as default routing except can use a route map to first check a specific route exists
- No need for always keyword, route-map replaces this
- Create a prefix-list to first check if a route exists in the routing table
- Command:
- (config)#ip prefix-list <prefix-list name> permit <network/CIDR>
- Apply to a Route-Map
- Command:
- (config)#route-map <route-map name> permit <#>
- (config-route-map)#match ip address prefix-list <prefix-list name>
- Apply Route-Map to default route redistribution
- Default route will only be redistributed if conditions of route-map are met
- Command:
- (config-router)#default-information originate route-map <route-map name>
Reliable Conditional Default Routing
- Same method as conditional default routing with addition of IP SLA tracking of prefix
- Create IP SLA for ICMP
- (config)#ip sla <IP SLA #>
- (config-ip-sla)#icmp-echo <ip address to be tested>
- (config-ip-sla-icmp)#frequency <# seconds to run ping>
- Create IP SLA schedule
- (config)#ip sla schedule <IP SLA #> life forever start-time now
- Create Track object to track state of object
- (config)#track <track #> ip sla <IP SLA #> state
- Create static route to track (can be just a place-holder address)
- (config)#ip route <placeholder network address> <placeholder subnet mask> Null 0 track <track #>
- Create prefix-list to place holder address
- (config)#ip prefix-list <prefix-list name> permit <placeholder network/cidr>
- Create Route-Map to use with redistribution
- (config)#route-map <route-map name> permit <#>
- (config-route-map)#match ip address prefix-list <prefix-list name>
- Redistribute default route based on route-map
- (config-router)#default-information originate route-map <route-map name>
Stub Area Traffic Engineering
- Can perform TE to manipulate routes where there are multiple equal cost exit points or ABRs to a Stub area using:
- Longest Match Routing
- Select one ABR exit to suppress LSA Type 3
- Area Default Cost
- Default is 1
- Commands:
- (config-if)#ip ospf cost <#>
- (config-router)#area <#> default-cost <#>
Flood Reduction
- Sets the DoNotAge (DNA) bit in the LSA
- Removes the periodic flood of the database every 30 minutes to refresh all LSAs
- Enabled on links with OSPF neighbors attached
- Command:
- (config-if)#ip ospf flood-reduction
OSPF Filtering can only be applied on ABRs and ASBRs
Prefix Filtering: Distribute Lists
- Use the distribute-list function to suppress routes
- Doesn't filter LSAs or affect the LSDB
- Command:
- (config-router)#distribute-list prefix <prefix name> in [interface]
- (config-router)#distribute-list route-map <route-map name> in
- Route-map option can't refer to an interface, so the source must be referenced in the route-map itself using the command:
- (config-route-map)#match ip route-source <RID of router>
[_/su_spoiler]
Prefix Filtering: Administrative Distance
- Can change the AD of specific prefixes, from specific advertising routers, as they are installed into the RIB
- Create a standard ACL to capture the prefix to be adjusted
- Command:
- (config)#access-list 10 permit <prefix to filter>
- Change the AD of the prefix, specifying the originating router (RID of the router that originated the LSA, e.g. the ABR for inter-area or the ASBR for external routes)
- Set AD to 255 to not install the prefix in the RIB (255 means never installed)
- Command:
- (config-router)#distance <AD 1-255> <LSA source RID> <wildcard, 0.0.0.0 for an exact match> <ACL of prefix>
- Like distribute-list, this only affects the local RIB; the LSA stays in the LSDB and is still flooded
Prefix Filtering: Type-3 LSA Filtering
- Prevents the ABR from generating specific Type 3 (summary) LSAs into or out of an area; applied on the ABR only
- in filters Type 3 LSAs being sent into the area, out filters Type 3 LSAs being generated out of the area
- Command:
- (config-router)#area <#> filter-list prefix <prefix-list name> [in|out]
Prefix Filtering: Full LSA Database Filtering
- Prevents all LSAs being flooded to a specific neighbor or to all neighbors on a multiaccess link (the neighbor ends up with an incomplete LSDB)
- Blocks one direction only; the router can still receive LSAs from the neighbor
- Specific neighbor on an NBMA network:
- Command:
- (config-router)#neighbor <neighbor address> database-filter all out
- All neighbors on a multi-access link:
- Command:
- (config-if)#ip ospf database-filter all out
- Need to clear the OSPF process after configuring for the filter to take effect on existing adjacencies
Prefix Filtering: Summarization
- Use the not-advertise option of inter-area summarization on the ABR: the component prefixes in the range are not advertised, and no summary LSA is generated for the range either
- Command:
- (config-router)#area <originating area #> range <network> <mask> not-advertise
Prefix Filtering: NSSA External
- On an ABR that is also an ASBR for an NSSA, stops redistributed routes being injected as Type 7 LSAs into the NSSA, while still creating the Type 5 LSAs for the other areas
- Command:
- (config-router)#area <nssa area> nssa no-redistribution
Prefix Filtering: NSSA Forwarding Address Suppression
- The Forwarding Address field of an external LSA determines which address the next recursive lookup is performed towards
- Normally set to 0.0.0.0, meaning the next lookup is performed towards the advertising router
- Type 7 LSAs carry a non-zero Forwarding Address (an address of the NSSA ASBR); when the ABR translates Type 7 to Type 5 this address is preserved, so routers in other areas need a route to it; if that route is missing (e.g. the NSSA's internal prefixes are summarized or filtered) the external route can't be installed
- The Forwarding Address can be suppressed during the Type 7 to Type 5 translation and set to 0.0.0.0, forcing the next lookup to be towards the advertising (translating) ABR
- Command:
- (config-router)#area <nssa area> nssa translate type7 suppress-fa
Prefix Filtering: Stub Router Advertisement
- Used to prevent traffic black-holes while a device is being added to or removed from the OSPF topology (e.g. maintenance, or a reload where OSPF converges before BGP has its routes)
- Causes the router to advertise the maximum metric (65535) for all transit links in its Router LSA; stub links keep their normal cost
- Transit traffic will not flow through this router unless it is the only possible path
- Command:
- (config-router)#max-metric router-lsa
- Can be set to advertise the max metric only for a certain time period (in seconds) after a reload
- Command:
- (config-router)#max-metric router-lsa on-startup <5-86400>
Prefix Filtering: Transit Prefix Suppression
- Prevents the router from advertising the IP prefixes of its transit links (the links are still advertised for the topology, just without the prefix), except:
- Loopback addresses
- Secondary IP addresses
- Passive interfaces
- Hides infrastructure addressing from the rest of the domain while keeping the topology intact
- Commands:
- (config-router)#prefix-suppression
- (config-if)#ip ospf prefix-suppression
Prefix Filtering: Prefix Limiting
- Limit the number of prefixes redistributed into OSPF (protects the domain from a redistribution mistake or a flood of external routes)
- Command:
- (config-router)#redistribute maximum-prefix <# of prefixes> [<% of the limit at which to log a warning>] [warning-only]
Prefix Filtering: LSA Limiting
- Limit the number of non-self-generated LSAs the process will accept into its LSDB (protects memory and CPU from a misbehaving or malicious neighbor)
- Command:
- (config-router)#max-lsa <#> [<% of the limit at which to log a warning>] [warning-only]
OSPF Convergence
Hello and Dead Timers
- Can manually configure the Hello and Dead timers on an interface (in seconds)
- Need to match on all neighbors on that link or the adjacency won't form
- Commands:
- (config-if)#ip ospf hello-interval <1-65535>
- (config-if)#ip ospf dead-interval <1-65535>
- Can also configure sub-second Hellos
- Minimum Dead time is 1 second, set with the minimal keyword
- The hello-multiplier keyword specifies how many Hellos are sent per second (3-20)
- Command:
- (config-if)#ip ospf dead-interval minimal hello-multiplier <3-20>
SPF Throttling
- By default SPF runs 5 seconds after the first updated LSA is received
- While the topology keeps changing, the wait between consecutive SPF runs doubles each time until it reaches the maximum
- Based on 3 parameters:
- spf-start
- Default of 5 seconds (5000 msec)
- Initial delay before SPF runs after the first LSA update following a stable period
- spf-hold
- Default of 10 seconds (10000 msec)
- Minimum wait between two consecutive SPF runs while changes keep arriving; doubles after each run (hold, 2x hold, 4x hold ...)
- spf-max-wait
- Default of 10 seconds (10000 msec)
- Cap on the doubling hold interval; the network is considered stable again if no topology change is detected within this time since the last SPF, and the timers return to spf-start
- Can be manually configured (in msec)
- Command:
- (config-router)#timers throttle spf <spf-start> <spf-hold> <spf-max>
LSA Throttling
- Same exponential back-off scheme as SPF throttling, applied to the origination of the router's own LSAs
- Driven by 3 parameters:
- start-interval
- Default of 0 msec (originate immediately)
- Delay before the first updated LSA is originated
- hold-interval
- Default of 5 seconds (5000 msec)
- Minimum time before the same LSA can be re-originated after the last one was generated; doubles on each subsequent change
- max-interval
- Default of 5 seconds (5000 msec)
- Maximum the hold interval can grow to
- Can be configured manually (in msec)
- Command:
- (config-router)#timers throttle lsa <start-interval> <hold-interval> <max-interval>
- Receive side: minimum interval between accepting two instances of the same LSA from neighbors; an instance arriving less than <milliseconds> after the previous one is dropped
- Command:
- (config-router)#timers lsa arrival <0-600000 milliseconds>
- Control the rate at which groups of LSAs are refreshed, checksummed and aged
- Command:
- (config-router)#timers pacing lsa-group <10-1800 secs>
- Control the minimum interval between consecutive LSA updates in the OSPF transmission (flood) queue
- Command:
- (config-router)#timers pacing flood <5-100 milliseconds>
- Control the minimum interval between consecutive LSAs in the retransmission queue (retransmitting lost LSAs)
- Command:
- (config-router)#timers pacing retransmission <5-200 milliseconds>
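The SPF and LSA throttle timers above are the same exponential back-off with three parameters; the following added example (not code from the original notes or from Cisco) models it so the effect of a chosen start/hold/max-wait on a burst of changes can be seen. It assumes the hold interval is measured from the previous run and doubles on every run while changes keep arriving, and that the timers reset once no change arrives within max-wait after the last run; the burst of change times is constructed.

```python
"""Simplified model of the OSPF SPF/LSA exponential throttle (start, hold, max-wait).

Added example, not part of the original notes or of any Cisco code. Assumption:
the hold interval is measured from the previous run and doubles on every run
during an unstable period; if no change arrives within max-wait after the
last run the timers reset to their start values.
"""
from typing import Iterable, List, Optional


def schedule_runs(events_ms: Iterable[int], start: int, hold: int, max_wait: int) -> List[int]:
    """Return the times (ms) at which SPF (or LSA origination) actually runs.

    events_ms: times at which a topology change (updated LSA) is received.
    start/hold/max_wait: the three throttle parameters in milliseconds,
    e.g. `timers throttle spf 5000 10000 10000` -> (5000, 10000, 10000).
    """
    runs: List[int] = []
    pending: Optional[int] = None   # time of the run already scheduled, if any
    last_run: Optional[int] = None  # time of the most recent run
    cur_hold = hold                 # current (doubling) minimum spacing between runs

    for t in sorted(events_ms):
        # A run scheduled earlier than this event has already happened: commit it.
        if pending is not None and pending < t:
            runs.append(pending)
            last_run, pending = pending, None
        # A change that arrives while a run is already scheduled is absorbed by it.
        if pending is not None:
            continue
        if last_run is None or t - last_run >= max_wait:
            # Stable period: back to the initial delay and the initial hold.
            cur_hold = hold
            pending = t + start
        else:
            # Unstable: not before last_run + cur_hold, then double the hold (capped).
            pending = max(t, last_run + cur_hold)
            cur_hold = min(cur_hold * 2, max_wait)

    if pending is not None:
        runs.append(pending)
    return runs


if __name__ == "__main__":
    # Constructed burst of changes (ms) against `timers throttle spf 50 200 1000`.
    changes = [0, 100, 300, 600, 900, 1200, 1500, 5000]
    print(schedule_runs(changes, start=50, hold=200, max_wait=1000))
    # The same function models the LSA throttle defaults `timers throttle lsa 0 5000 5000`.
    print(schedule_runs(changes, start=0, hold=5000, max_wait=5000))
```

With the defaults (5000 10000 10000) the hold equals the max-wait, so there is no doubling; the model is mainly useful for checking how aggressive fast-convergence values such as 50 200 1000 behave during a flap.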
Incremental SPF
- By default every topology change triggers a full SPF run
- including parts of the SPT (Shortest Path Tree) that weren't affected
- increases CPU load
- Incremental SPF recomputes only the parts of the SPT that are affected by the change
- Command:
- (config-router)#ispf
OSPFv3
- Adds support for IPv6
- Can advertise both IPv4 and IPv6 prefixes (address families)
- Same mechanisms and functionality as OSPFv2 (areas, LSA flooding, SPF, DR/BDR election)
- Multicasts OSPF packets to FF02::5 (all OSPF routers) and FF02::6 (all DRs), sourced from IPv6 link-local addresses
- IPv4 and IPv6 run as independent address families under the process, each with its own LSDB and SPF
- Loopback prefixes are advertised with a metric of 0
- Troubleshooting commands:
- #show ospfv3 …..
- #show ospfv3 ipv4 database
Enabling OSPFv3
- Enabled at link (interface) level; enabling on an interface auto-creates the global process
- Command:
- (config-if)#ospfv3 <process> <ipv4 | ipv6> area <area-id>
- Requires a 32-bit Router-ID before the process will start; on an IPv6-only router there is no IPv4 address to derive it from, so set it manually
- Commands:
- (config)#router ospfv3 <process-id>
- (config-router)#router-id <32-bit RID>
OSPFv3 LSAs
OSPFv2 LSA | OSPFv3 LSA | Name | Flooding Scope
Type 1 | 0x2001 | Router | Area
Type 2 | 0x2002 | Network | Area
Type 3 | 0x2003 | Inter-Area Prefix (Summary) | Area
Type 4 | 0x2004 | Inter-Area Router (ASBR Summary) | Area
Type 5 | 0x4005 | AS External | OSPF Domain (AS)
Type 7 | 0x2007 | NSSA External | NSSA Area
(new) | 0x0008 | Link | Link-Local
(new) | 0x2009 | Intra-Area Prefix | Area
- The OSPFv3 LS type is 16 bits: bits 14-13 encode the flooding scope (0x0xxx link-local, 0x2xxx area, 0x4xxx AS) and the low 13 bits the function code, which is why the AS External LSA is 0x4005 rather than 0x2005
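To make the type codes in the table above less of a lookup exercise, the following added example (not code from the original notes) decodes an OSPFv3 LS Type into its U bit, flooding scope and function code as laid out in RFC 5340 (bit 15 = U, bits 14-13 = S2/S1, bits 12-0 = function code), and shows how a router must handle an LSA whose function code it does not recognise. The function names in the dictionary are the RFC names; the handling rule for unknown types follows RFC 5340 section 4.4.4.

```python
"""Decode an OSPFv3 16-bit LS Type into its U-bit, flooding scope and function code.

Added example, not code from the original notes. Layout follows RFC 5340
(A.4.2.1): bit 15 = U bit, bits 14-13 = S2/S1 flooding scope, bits 12-0 = function code.
"""
from typing import Dict, NamedTuple

FUNCTION_NAMES: Dict[int, str] = {
    1: "Router", 2: "Network", 3: "Inter-Area-Prefix", 4: "Inter-Area-Router",
    5: "AS-External", 7: "NSSA", 8: "Link", 9: "Intra-Area-Prefix",
}
SCOPE_NAMES: Dict[int, str] = {0: "link-local", 1: "area", 2: "AS", 3: "reserved"}


class LsType(NamedTuple):
    u_bit: int
    scope: str
    function_code: int
    name: str


def decode_ls_type(ls_type: int) -> LsType:
    """Split the 16-bit LS Type field into its parts."""
    if not 0 <= ls_type <= 0xFFFF:
        raise ValueError("LS type is a 16-bit field")
    u_bit = (ls_type >> 15) & 1
    scope_bits = (ls_type >> 13) & 0b11
    code = ls_type & 0x1FFF
    return LsType(u_bit, SCOPE_NAMES[scope_bits], code, FUNCTION_NAMES.get(code, "unknown"))


def encode_ls_type(scope: str, function_code: int, u_bit: int = 0) -> int:
    """Inverse of decode_ls_type, e.g. encode_ls_type('AS', 5) == 0x4005."""
    scope_bits = {v: k for k, v in SCOPE_NAMES.items()}[scope]
    return (u_bit << 15) | (scope_bits << 13) | (function_code & 0x1FFF)


def unknown_lsa_handling(ls_type: int) -> str:
    """How a router must treat an LSA whose function code it doesn't understand (RFC 5340 4.4.4)."""
    t = decode_ls_type(ls_type)
    if t.name != "unknown":
        return f"known: flood with {t.scope} scope"
    if t.u_bit:
        return f"unknown, U=1: store and flood with {t.scope} scope as encoded"
    return "unknown, U=0: treat as link-local scope (do not flood beyond the link)"


if __name__ == "__main__":
    # 0x2005 is included to show it would be an area-scoped external LSA, not an AS-scoped one.
    for lt in (0x2001, 0x2002, 0x2003, 0x2004, 0x4005, 0x2007, 0x0008, 0x2009, 0x2005):
        print(f"0x{lt:04X} -> {decode_ls_type(lt)}")
    print(unknown_lsa_handling(0x000A))
    print(unknown_lsa_handling(0xA00A))
```

The U bit matters when filtering or fuzzing OSPFv3: with U=0 an unrecognised LSA stays on the link it arrived on, with U=1 it is stored and propagated according to the scope bits even though nobody understands its contents.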
LSA Type 8 Link LSA
- Used to tell the other routers on the link the originating router's link-local address, its options and the list of IPv6 prefixes on the link
- Flooded to the local link only (never leaves the link)
- One Link LSA per router per link; on a multi-access segment the DR uses the prefixes learned from the Link LSAs to build the Intra-Area Prefix LSA for that segment
- No costs are associated with the LSA
- To display this LSA type:
- #show ipv6 ospf database link
LSA Type 9 - Intra-Area-Prefix LSA
- Used to advertise IPv6 prefixes and associate them with a Router LSA (Type 1) or a Network LSA (Type 2)
- Doesn't contain any OSPF topology information; in OSPFv3 the prefix information is separated from the topology carried in the Router and Network LSAs
- To display this LSA type:
- #show ipv6 ospf database prefix
- Because prefixes live in their own LSA, adding or removing a stub network only changes the Intra-Area-Prefix LSA and a full SPF calculation isn't required (a partial route calculation is enough)
Encryption and Authentication
- OSPFv3 has no authentication fields of its own; it offers both authentication and encryption using IPsec (AH/ESP) applied on the interface
- ISAKMP/IKE isn't supported: the Security Associations are manual, so keys must be manually entered and must match on both ends
- SPI
- Security Parameter Index
- Identifies the Security Association (a 32-bit number carried in every AH/ESP header)
- Functions similarly to a key ID in a key chain
- Must match between neighbors if using either authentication or encryption
- Authentication
- Can use the following for OSPFv3 authentication:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
- Null
- Commands:
- (config-if)#ospfv3 authentication ipsec spi <spi-number> <sha1 | md5> [<key encryption type>] <hex key: 40 hex characters for sha1, 32 for md5>
- (config-if)#ospfv3 authentication null
- Encryption
- Uses the IPsec ESP process between 2 connected neighbors; ESP also authenticates, so AH isn't needed on top of it
- Command:
- (config-if)#ospfv3 encryption ipsec spi <spi> esp <encryption algorithm> [<key encryption type>] <hex encryption key, length fixed by the algorithm> <sha1 | md5> [<key encryption type>] <hex authentication key>
- Caveats: with manual keying nothing rotates the keys, so the same key stays in use until changed by hand; the hex keys sit in the running config (key encryption type 0 = clear, 7 = reversible obfuscation), so protect config backups; prefer sha1 over md5 and aes-cbc over des/3des
- Troubleshooting command:
- #show crypto ipsec sa ipv6 - Displays the OSPF IPsec Security Associations
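Because the keys above are typed by hand and never rotated, most field problems are a key of the wrong length for the algorithm, a weak algorithm, or an SPI the router rejects. The following added example (not code from the original notes or from Cisco IOS) checks a proposed authentication/encryption configuration and generates keys of the right size from the OS CSPRNG. It assumes the SPI range 256-4294967295 accepted by IOS and uses the fixed key sizes of the named algorithms (HMAC-MD5 16 bytes, HMAC-SHA1 20, DES 8, 3DES 24, AES-CBC 16/24/32) written as hex strings of twice that many characters; the sample inputs are constructed.

```python
"""Sanity-check OSPFv3 IPsec authentication/encryption parameters before they go on a router.

Added example, not code from the original notes or from Cisco IOS. Assumptions:
the SPI range 256-4294967295 is what IOS accepts; key sizes are the fixed sizes of
the named algorithms (HMAC-MD5 16 bytes, HMAC-SHA1 20, DES 8, 3DES 24,
AES-CBC 16/24/32), entered as hex strings of twice that many characters.
"""
import re
import secrets
from typing import List, Optional

SPI_MIN, SPI_MAX = 256, 4294967295
AUTH_KEY_HEX_LEN = {"md5": 32, "sha1": 40}
ESP_KEY_HEX_LEN = {"des": 16, "3des": 48, "aes-cbc 128": 32,
                   "aes-cbc 192": 48, "aes-cbc 256": 64, "null": 0}
WEAK_ADVICE = {
    "md5": "md5 is deprecated for new deployments, use sha1",
    "des": "des is a 56-bit cipher, use aes-cbc 256",
    "3des": "3des is obsolete and slow, use aes-cbc 256",
    "null": "esp null gives no confidentiality (authentication only)",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def _check_key(label: str, key: str, expected: int, problems: List[str]) -> None:
    """Key must be hex, the right length for the algorithm and not a lazy pattern."""
    if expected == 0:
        return
    if not HEX.match(key or ""):
        problems.append(f"{label} key is not a hex string")
    elif len(key) != expected:
        problems.append(f"{label} key must be {expected} hex characters, got {len(key)}")
    elif len(set(key.lower())) <= 2:
        problems.append(f"{label} key has almost no entropy (repeated digits)")


def check_ospfv3_ipsec(spi: int, auth_alg: str, auth_key: str,
                       esp_alg: Optional[str] = None, esp_key: str = "") -> List[str]:
    """Return a list of problems; an empty list means the parameters are usable.

    auth_alg/auth_key describe the HMAC used by `ospfv3 authentication` and by the
    authentication half of `ospfv3 encryption`; esp_alg/esp_key describe the ESP cipher.
    """
    problems: List[str] = []
    if not SPI_MIN <= spi <= SPI_MAX:
        problems.append(f"SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
    if auth_alg not in AUTH_KEY_HEX_LEN:
        problems.append(f"unknown authentication algorithm {auth_alg!r}")
    else:
        _check_key("authentication", auth_key, AUTH_KEY_HEX_LEN[auth_alg], problems)
        if auth_alg in WEAK_ADVICE:
            problems.append(WEAK_ADVICE[auth_alg])
    if esp_alg is not None:
        if esp_alg not in ESP_KEY_HEX_LEN:
            problems.append(f"unknown ESP algorithm {esp_alg!r}")
        else:
            _check_key("encryption", esp_key, ESP_KEY_HEX_LEN[esp_alg], problems)
            if esp_alg in WEAK_ADVICE:
                problems.append(WEAK_ADVICE[esp_alg])
            # Reusing one key for cipher and HMAC defeats the point of having two.
            if esp_key and esp_key.lower() == (auth_key or "").lower():
                problems.append("encryption and authentication keys must differ")
    return problems


def generate_key(alg: str) -> str:
    """Random key of the right size for alg from the OS CSPRNG; one key per SA, never reused."""
    hex_len = {**AUTH_KEY_HEX_LEN, **ESP_KEY_HEX_LEN}[alg]
    return secrets.token_hex(hex_len // 2)


if __name__ == "__main__":
    # Constructed inputs: a textbook-weak configuration and a sane one.
    print(check_ospfv3_ipsec(100, "md5", "deadbeef" * 4, "3des", "deadbeef" * 6))
    print(check_ospfv3_ipsec(1001, "sha1", generate_key("sha1"),
                             "aes-cbc 256", generate_key("aes-cbc 256")))
```

Run it against the values before pasting the `ospfv3 authentication` / `ospfv3 encryption` line on both neighbors; a mismatch in length or SPI shows up here rather than as an adjacency stuck in INIT.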
OSPF Troubleshooting Commands
- #show ip ospf statistics – Displays the number of SPF computations done for each area and what triggered them
- #show ip ospf interface brief – Displays a summary of the interfaces running OSPF
- #show ip ospf database – Displays the OSPF database (LSDB) and its LSAs
- #show ip ospf neighbor – Displays the list of OSPF neighbors and their adjacency state
- #show ip ospf – Displays the general OSPF configuration on the node (RID, areas, timers, LSA counts)
- #show ip ospf interface <IF> – Displays detailed information about OSPF on that interface (timers, network type, DR/BDR, neighbor count)
- #show ip ospf virtual-links – Displays Virtual Link configuration and state
- #show ip route ospf – Displays the OSPF routes in the routing table
- (config-router)#log-adjacency-changes detail – Logs every adjacency state transition, not only full/down
- #clear ip ospf process – Tears down the OSPF process including all neighbors and restarts it (disruptive)
Cisco OSPF Troubleshooting Flowchart